After paying $350 for his QuietComfort 35 headphones, [Kyle Zak] said he took Bose’s suggestion to “get the most out of your headphones” by downloading its app, and providing his name, email address and headphone serial number in the process.

But the Illinois resident said he was surprised to learn that Bose sent “all available media information” from his smartphone to third parties such as Segment.io, whose website promises to collect customer data and “send it anywhere.”

This doesn’t appear to be a simple case of Zak failing to read the app’s privacy policy in full. I downloaded the Bose Connect app and read its privacy policy and terms and conditions. While both explain that the app uses analytics software, nowhere in either document does it say that it will transmit listening habits.

This is alarming when you consider how unique someone’s music library and listening habits are. Ben Dodson found that apps in iOS had an unlimited ability to dump a user’s music library into a text file and upload it to the cloud. In iOS 10, Apple began requiring authentication when an app wants to access the music library.

What I don’t see in Stempel’s report is anything indicating whether the Bose app was merely using library data, or if it was sending information about the actual audio passing through the app. That makes a big difference — imagine if a Bose owner received a phone call through the headphones.